Sloppy coding + huge PSD2 changes = Lots of late nights for banking devs next year

“We believe that major operational and security incidents taken together are a reasonable proxy for the resilience of firms’ systems and controls, and in practice they are often closely related,” the FCA said.

The metric will be based on major incidents reported to the regulator, as required under the European Union's Second Payment Services Directive (PSD2).

Most respondents to a consultation [PDF] on the proposals – including some firms, consumer groups and trade bodies – said they supported the publication of a metric based on PSD2 major incident reports.

A “small number of firms”, though, did not agree, saying that such a metric might encourage hackers to target weaker firms.

Others questioned whether it would “add significantly” to the information customers see reported in the media (certainly Reg readers are kept up to date on the oh-so-regular banking TITSUPs).

But the FCA pointed out that – although it recognised the power of large-scale media coverage – it wasn’t the most consistent or reliable way to provide people with crucial service information.

“We consider that the number of major incidents reported to the regulator provides a more consistent and systematic basis for comparison between firms,” the FCA said.

Others suggested providing stats on customer access to current accounts, such as percentage availability, but the FCA said this was unlikely to be consistent enough across providers.

The change comes as the FCA revealed it suspects that banks are being coy about the level of cyber attacks levelled against them.

“Our suspicion is that there’s currently a material under-reporting of successful cyber attacks in the financial sector,” the FCA’s Megan Butler said at a conference earlier this month.

“Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”

She emphasised that the FCA expected banks to deal with the authority “in an open, transparent manner” and that it is “essential we know about breaches in real time”.

Butler also urged banks to ensure they know what data they hold, can manage the risks related to it and ensure they have proper responses planned for cyber attacks.